Changeset - b9b719fb4774
Parent rev.
Child rev.
[Not reviewed]
stable
0 3 0
Thomas De Schampheleire - 7 years ago 2019-04-24 20:58:31
thomas.de_schampheleire@nokia.com
search: fix XSS vulnerability in search results

The search feature did not correctly escape all arguments when displaying
search matches and linking to the corresponding files.

An attacker that can control the contents of a repository could thus cause
a cross-site scripting (XSS) vulnerability.

Fix the problem by removing the overall h.literal call that is only needed
for the HTML entity » and splitting the link instead.

We take the opportunity to improving the destination of the part before
» which is the path to the repository. Instead of pointing to the
search result, point to the repository itself.
The part after » remains linked to the file containing the search
match.

Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
3 files changed with 9 insertions and 6 deletions:
kallithea/templates/search/search_commit.html
3
2
kallithea/templates/search/search_content.html
3
2
kallithea/templates/search/search_path.html
3
2
0 comments (0 inline, 0 general)
kallithea/templates/search/search_commit.html
Show inline comments
 
##commit highlighting
 

			




	
	
	
		
 
%for cnt,sr in enumerate(c.formated_results):

			




	
	
	
		
 
    %if h.HasRepoPermissionLevel('read')(sr['repository'],'search results check'):

			




	
	
	
		
 
        <div class="panel panel-default">

			




	
	
	
		
 
            <div class="panel-heading">

			




	
	
	
		
 
                ${h.link_to(h.literal('%s &raquo; %s' % (sr['repository'],sr['raw_id'])),

			




	
	
	
		
 
                    h.url('changeset_home',repo_name=sr['repository'],revision=sr['raw_id']))}

			




	
	
	
		
 
                ${h.link_to(sr['repository'], h.url('summary_home', repo_name=sr['repository']))}

			




	
	
	
		
 
                &raquo;

			




	
	
	
		
 
                ${h.link_to(sr['raw_id'], h.url('changeset_home', repo_name=sr['repository'], revision=sr['raw_id']))}

			




	
	
	
		
 
                ${h.fmt_date(h.time_to_datetime(sr['date']))}

			




	
	
	
		
 
            </div>

			




	
	
	
		
 
            <div class="panel-body">

			




	
	
	
		
 
                <div class="author">

			




	
	
	
		
 
                    ${h.gravatar_div(h.email_or_none(sr['author']), size=20)}

			




	
	
	
		
 
                    <span>${h.person(sr['author'])}</span><br/>

			




	
	
	
		
 
                    <span>${h.email_or_none(sr['author'])}</span><br/>

			




	
	
	
		
 
                </div>

			




	
	
	
		
 
                %if sr['message_hl']:

			




	
	
	
		
 
                <div class="search-code-body">

			




	
	
	
		
 
                    <pre>${h.literal(sr['message_hl'])}</pre>

			




	
	
	
		
 
                </div>

			




        

    


    
    

    

        

                

                    kallithea/templates/search/search_content.html
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
	
		
 
##content highlighting

			




	
	
	
		
 

			




	
	
	
		
 
%for cnt,sr in enumerate(c.formated_results):

			




	
	
	
		
 
    %if h.HasRepoPermissionLevel('read')(sr['repository'],'search results check'):

			




	
	
	
		
 
        <div class="panel panel-default">

			




	
	
	
		
 
            <div class="panel-heading">

			




	
	
	
		
 
                ${h.link_to(h.literal('%s &raquo; %s' % (sr['repository'],sr['f_path'])),

			




	
	
	
		
 
                    h.url('files_home',repo_name=sr['repository'],revision='tip',f_path=sr['f_path']))}

			




	
	
	
		
 
                ${h.link_to(sr['repository'], h.url('summary_home', repo_name=sr['repository']))}

			




	
	
	
		
 
                &raquo;

			




	
	
	
		
 
                ${h.link_to(sr['f_path'], h.url('files_home', repo_name=sr['repository'], revision='tip', f_path=sr['f_path']))}

			




	
	
	
		
 
            </div>

			




	
	
	
		
 
            <div class="panel-body search-code-body">

			




	
	
	
		
 
                <pre>${h.literal(sr['content_short_hl'])}</pre>

			




	
	
	
		
 
            </div>

			




	
	
	
		
 
        </div>

			




	
	
	
		
 
    %else:

			




	
	
	
		
 
        %if cnt == 0:

			




	
	
	
		
 
            <div class="alert alert-warning" role="alert">

			




	
	
	
		
 
                ${_('Permission denied')}

			




	
	
	
		
 
            </div>

			




	
	
	
		
 
        %endif

			




	
	
	
		
 
    %endif

			




        

    


    
    

    

        

                

                    kallithea/templates/search/search_path.html
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
	
		
 
##path search

			




	
	
	
		
 

			




	
	
	
		
 
%for cnt,sr in enumerate(c.formated_results):

			




	
	
	
		
 
    %if h.HasRepoPermissionLevel('read')(sr['repository'],'search results check'):

			




	
	
	
		
 
        <div class="panel panel-default">

			




	
	
	
		
 
            <div class="panel-heading">

			




	
	
	
		
 
                ${h.link_to(h.literal('%s &raquo; %s' % (sr['repository'],sr['f_path'])),

			




	
	
	
		
 
                    h.url('files_home',repo_name=sr['repository'],revision='tip',f_path=sr['f_path']))}

			




	
	
	
		
 
                ${h.link_to(sr['repository'], h.url('summary_home', repo_name=sr['repository']))}

			




	
	
	
		
 
                &raquo;

			




	
	
	
		
 
                ${h.link_to(sr['f_path'], h.url('files_home', repo_name=sr['repository'], revision='tip', f_path=sr['f_path']))}

			




	
	
	
		
 
            </div>

			




	
	
	
		
 
        </div>

			




	
	
	
		
 
    %else:

			




	
	
	
		
 
        %if cnt == 0:

			




	
	
	
		
 
            <div class="alert alert-warning" role="alert">

			




	
	
	
		
 
                ${_('Permission denied')}

			




	
	
	
		
 
            </div>

			




	
	
	
		
 
        %endif

			




	
	
	
		
 
    %endif

			




	
	
	
		
 
%endfor

			




	
	
	
		
 
%if c.cur_query and c.formated_results:

			




	
	
	
		
 
    ${c.formated_results.pager()}

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.